Following the huge data breach at Target, which was first reported on 18 December, and has affected as many as 40 million credit and debit card holders, I can’t seem to be able to open a browser without stumbling into a news headline asking why the U.S. hasn’t yet ditched the magnetic stripe and adopted the EMV technology, as the rest of the developed world has done. At first, my reaction was “Don’t you read UniBul’s blog?”, for we’ve covered the subject quite extensively over the years. But then, on reflection, I realized that the world doesn’t revolve around UniBul quite yet and thought I should revisit the topic. In my defense, it only took me two weeks to figure that out.
So, the short answer to the question everyone is asking is that it’s all about money. It turns out that, rather than embark on a years-long roll-out of the more secure EMV card technology, U.S. credit card companies have found it preferable to continue to rely on the old-fashioned mag-stripe and absorb huge fraud losses in the process. Not to mention that, as European merchants don’t always know how to accept mag-stripe cards on their EMV terminals, many Americans find themselves unable to use their cards in Europe, which leads to additional hundreds of millions of dollars in lost annual revenues for U.S. card issuers ($447 million in 2008 alone). Yet, evidently the sum of these losses and foregone revenues pales in comparison to the $3 billion needed for the wholesale switch to EMV (according to an estimate by the Mercator Advisory Group, a consultancy). The good news is that we are making progress and the EMV technology is slowly arriving in America. But let’s take a closer look at where we stand at the moment and where we are heading.
Card Fraud in the U.S.
Let’s start with fraud losses. The American Bankers Association’s?á2011 Deposit Account Fraud Survey Report told us that in 2010 debit card fraud losses totaled $955 million. From a?áNilson Report study?áwe learned that the cumulative bank card losses (credit and debit) in 2010 amounted to?á$3.56 billion. A?áPaymentsSource report has calculated that card issuers alone have lost $1.16 billion to fraud in 2010.
Douglas A. King from the Federal Reserve Bank of Atlanta looked closely into these reports and here is what he found. According to PaymentsSource’s bank card profitability studies, financial institutions’ credit card-related fraud losses were the largest among payment cards and grew each year between 2006 and 2008, rising from $1 billion to $1.11 billion. After an aberration in 2009, when credit card fraud losses fell by 14 percent, they grew again in 2010, by 22 percent. The Nilson Report data showed a similar trend in both the number and dollar value of credit card transactions during this time period.
So, once again, U.S. card issuers have been absorbing huge, and growing, credit card fraud losses. And they knew perfectly well what would happen if they switched to EMV — they knew because the Europeans had already done it. Here is, for example, what happened in the U.K., after the Brits switched from magnetic-stripe to EMV credit cards in 2004:
And here is what happened in France:
Of course, the overall picture was much more complicated than these two charts suggest, but, clearly, the shift to EMV reduced fraud in Europe. It is also clear that the U.S. card industry needed no convincing that a switch to EMV should be made, at some point. After all, the card issuers bear the bulk of card fraud losses, as seen in the chart below (source):
As you can see, cardholders have suffered no fraud-related losses at all, which have been split between the issuers and the merchants. In 2006, credit card fraud has comprised 61.9 percent of the issuers’ losses, ATM withdrawals have added 19.8 percent, signature debit transactions have accounted for 16.8 percent, and the remaining less than two percent have belonged to PIN debit payments.
The Shift to EMV Is Underway
And yet, despite suffering all these losses, the U.S. credit card industry, rather than rush toward EMV adoption, has instead been dragging its feet. As already noted, the biggest reason was that the switch would be costly. Yet, Visa finally decided to force the issue in 2011, when it announced its plans to “accelerate chip migration and adoption of mobile payments”. The acceleration in question would come as a result of two separate initiatives:
Build Processing Infrastructure for Chip Acceptance – Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including the cryptographic message that makes each transaction unique. Visa will provide additional guidance as part of its bi-annual Business Enhancements Release for acquirer processors to certify that their systems can support EMV contact and contactless chip transactions.
Establish a Counterfeit Fraud Liability Shift — Visa intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions, effective October 1, 2015. Fuel-selling merchants will have an additional two years, until October 1, 2017 before a liability shift takes effect for transactions generated from automated fuel dispensers. Currently, POS counterfeit fraud is largely absorbed by card issuers. With the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer. The liability shift encourages chip adoption since any chip-on-chip transaction (chip card read by a chip terminal) provides the dynamic authentication data that helps to better protect all parties. The U.S. is the only country in the world that has not committed to either a domestic or cross-border liability shift associated with chip payments.
What you need to realize is that the issuance of chip cards is the far smaller part of the puzzle that needs to be solved, which is why Visa has focused its initiatives on the acquirers and their merchants. As acquirers wouldn’t want to take on any fraud-related losses, they would put pressure on their merchants to upgrade their POS systems and make them EMV-compatible.
So, yes, the U.S. has been relying on an outdated credit card technology for much longer than it should have done. And yes, Visa and MasterCard should have been quicker to force EMV adoption on their member banks, as that would, in the long run, have benefited them more than anyone else. Would an earlier EMV adoption have prevented a Target-like data breach? No, it would not, although it is just possible that it would have made it more difficult for the hackers to make use of the cardholders’ account information, although that is debatable. Still, EMV is coming and that is good news.
Image credit: Europol.